Maintain roles/groups/permissions of enterprise connection users before first login?

I want to maintain a user’s roles before his or her first login ever.

The user’s digital identity already exists within the enterprise’s Active Directory (he or she would definitely use an enterprise connection / ADFS) and thus the user’s existence is already known to me but yet unknown to Auth0 (and the Authorization Extension).

Nevertheless I’d like to do proper upfront provisioning and provide a good UX, with the user being able to use a specific application right after the very first login and being immediately authorized within the application.

What would be the best/recommended approach for this to be done?


I’m not sure if this is best practice, but I set up a Rule like so:

function (user, context, callback) {
  // Rules run after the IdP has authenticated the user, so the enterprise
  // identity is already asserted here; act only on the SAML/ADFS connection
  if (context.connectionStrategy === 'samlp') {
    // make an ajax call to check if user is already provisioned
    // update app_metadata or anything else if necessary
    // (if that call is asynchronous, invoke callback from its completion
    // handler instead of falling through below)
  }

  // no saml connection detected, just continue
  return callback(null, user, context);
}
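An added example of what the Rule above could look like once the provisioning check is filled in; this is not the answerer's code. It assumes a constructed in-memory table standing in for the "ajax call", that the IdP asserts `user.email`, and a hypothetical claim namespace `https://example.com/roles`.

```javascript
// Constructed sample data: roles pre-provisioned per enterprise identity,
// keyed by the e-mail the IdP asserts. Stands in for the remote lookup.
const PROVISIONED = {
  'alice@corp.example': ['app-user', 'reports-viewer'],
  'bob@corp.example': ['app-user'],
};

function lookupProvisionedRoles(email) {
  // Identities with no entry get no roles (least privilege); they still log in.
  const roles = PROVISIONED[String(email || '').toLowerCase()];
  return Array.isArray(roles) ? roles.slice() : [];
}

// Rule-shaped function: same (user, context, callback) signature as an Auth0 Rule.
function provisionOnFirstLogin(user, context, callback) {
  // Only enterprise (SAML/ADFS) logins are touched; other strategies pass through.
  if (context.connectionStrategy !== 'samlp') {
    return callback(null, user, context);
  }
  user.app_metadata = user.app_metadata || {};
  // Idempotent: apply the pre-provisioned roles once, on the very first login.
  // Later logins keep whatever an admin has set since (no silent re-grant).
  if (!user.app_metadata.provisioned) {
    user.app_metadata.roles = lookupProvisionedRoles(user.email);
    user.app_metadata.provisioned = true;
    // In a real Rule, persist here before continuing, e.g.
    // auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
  }
  // Expose the roles to the application as a namespaced custom claim.
  context.idToken = context.idToken || {};
  context.idToken['https://example.com/roles'] = user.app_metadata.roles || [];
  return callback(null, user, context);
}

// Small helper so the outcome can be inspected synchronously.
function runRule(user, context) {
  const out = {};
  provisionOnFirstLogin(user, context, (err, u, c) => { out.err = err; out.user = u; out.context = c; });
  return out;
}
```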